Collection #1

Collection #1 is almost two times larger than the previous largest credential exposure.

This is not just a list. It is an aggregated, interactive database that allows fast (one-second response) searches and imports of new breaches. Because people reuse passwords across their email, social media, e-commerce, banking and work accounts, attackers can automate account hijacking (credential stuffing) and account takeover.

The dump includes a file called “imported.log” that lists 256 corpora, including (with added data) all of those in the Exploit.in and Anti Public dumps, as well as 133 additional or new breaches.

Structure

The data is structured in an alphabetic directory tree fragmented into 1,981 pieces to allow fast searches.

Freshness

Although the majority of the Collection #1 breaches are already known within the breach and hacker community, 14% of the exposed username/password pairs had not previously been decrypted by the community and are now available in clear text.

This new breach adds 385 million new credential pairs, 318 million unique users and 147 million passwords over and above those previous dumps.


Conclusion

The experience of searching and finding passwords within the Collection #1 database is as scary as it is shocking. The best way to get around this is to use a password manager, generate complex, unique passwords of 12+ characters for every site, and rotate at least your critical credentials regularly.

Overview

If you need to build your own Postfix, Dovecot, SpamAssassin and Roundcube server for your own mail hosting, look no further than this all-in-one Ansible script. Just configure the global configuration file, run the script and BAM, you have a fully functioning mail server! The script completes an end-to-end configuration of the server and covers the following:

Apache

PHP 7.2

MySQL

Postfix

Dovecot

Letsencrypt

Sieve

SpamAssassin

Postgrey

iptables

Roundcube Webmail with managesieve & two_factor plugins

Test Bed

Ansible control server running Ubuntu 18.04 LTS

Test server running Ubuntu 18.04 LTS

Requirements

Ansible control server

SSH keys established between Ansible control server and destination server(s)

2x Public DNS A records pointing to the server to be set up

Role Dependencies

I use two Ansible Galaxy roles, one to set up iptables and one for Let’s Encrypt SSL certs (I was just too lazy to code that all up myself). Run the following commands to download the Ansible Galaxy roles onto the Ansible control server:

ansible-galaxy install thefinn93.letsencrypt

ansible-galaxy install geerlingguy.firewall
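The post's own playbook lives in the repository linked below; the play here is an added example, not code from that repository, showing how the two Galaxy roles can be wired into a play that opens only the ports a mail server needs and refuses to run unless the two public A records from the requirements list actually resolve to the host. The hostnames, the `mail` inventory group, the postmaster address and the `letsencrypt_*` variable names are assumptions (the latter taken from the role's README); `firewall_allowed_tcp_ports` is the firewall role's documented variable.

```yaml
---
# Added example, not the ansible-mailserver repository's playbook.
# Assumed: inventory group "mail", the two hostnames below, and the
# thefinn93.letsencrypt variable names (from that role's README).
- hosts: mail
  become: yes
  vars:
    mail_hostname: mail.example.com          # assumed; the MX / IMAP / submission name
    webmail_hostname: webmail.example.com    # assumed; the Roundcube name
    # geerlingguy.firewall: everything not listed here is dropped.
    firewall_allowed_tcp_ports:
      - "22"    # ssh (Ansible itself)
      - "25"    # smtp, inbound MX
      - "80"    # http, required for the Let's Encrypt HTTP-01 challenge
      - "443"   # https, Roundcube
      - "587"   # submission (authenticated clients)
      - "993"   # imaps
    # thefinn93.letsencrypt (variable names assumed from the role README)
    letsencrypt_webroot_path: /var/www/html
    letsencrypt_email: postmaster@example.com   # assumed
    letsencrypt_cert_domains:
      - "{{ mail_hostname }}"
      - "{{ webmail_hostname }}"

  pre_tasks:
    # Requirement from the post: two public A records pointing at this box.
    # Check it from the server's own resolver before touching anything.
    - name: Resolve each public hostname from the server itself
      command: getent ahostsv4 {{ item }}
      register: dns_lookup
      changed_when: false
      loop:
        - "{{ mail_hostname }}"
        - "{{ webmail_hostname }}"

    - name: Refuse to continue unless both A records point at this host
      assert:
        # getent prints "<address> <socktype> <name>", so match "address "
        that:
          - (ansible_default_ipv4.address ~ ' ') in item.stdout
        fail_msg: "{{ item.item }} does not resolve to {{ ansible_default_ipv4.address }}"
      loop: "{{ dns_lookup.results }}"

  roles:
    - geerlingguy.firewall
    - thefinn93.letsencrypt
```

On a host behind NAT, `ansible_default_ipv4.address` is the private address; compare against the public IP there instead. The Let's Encrypt role needs port 80 reachable from the internet at the moment it runs, which is why the firewall role is listed first.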

Git Clone

I have all the YAML and conf scripts sitting in a public GitHub repository, which can be cloned by running the following:

git clone https://github.com/chrisreeves-/ansible-mailserver.git

Conclusion

This will set up a complete mail server based on DigitalOcean’s how-to, expanded to include a few more services. I haven’t broken this script into roles yet, so it is in an “MVP” form for now. Questions and comments are always welcome as usual.

Overview

Changing your SSH keys is as important as changing your underpants daily; running this script on a frequent basis will ensure access to the servers is changed on a regular basis. Use Ansible to do SSH key rotation in your sleep!

Test Bed

Ansible control server running Ubuntu 18.04 LTS

Test server running Ubuntu 18.04 LTS

Requirements

Ansible control server

SSH keys established between Ansible control server and destination server(s)

A folder called “pubkeys” in the directory the playbook is run from

Break Down

Creates a new directory on the remote server to generate the new keys in

Generates the new key pair in the newly created folder

Copies the new public key back to the control server, under pubkeys/ in the directory the playbook runs from, named after the inventory hostname (“<hostname>.pub”)

Removes the existing private key

Removes the existing public key

Moves the new private key to the user’s .ssh folder

Moves the new public key to the user’s .ssh folder

Makes the new private key read-only (mode 0400)

Replaces root’s authorized_keys with the public key just fetched (exclusive), which invalidates every previously authorized key

Copies the new private key to the control server’s ~/.ssh as “id_rsa.<hostname>”

Removes the “newsshkey” folder on the remote host as clean-up

ssh_key_rotation.yml

---
- hosts: test
  tasks:
    # Scratch directory so the old key stays in place until the new one exists
    - name: Create directory for the new key pair
      file:
        path: ~/.ssh/newsshkey
        state: directory
        mode: '0700'

    # Unencrypted RSA key (-N '') so Ansible can use it non-interactively
    - name: Create new SSH key pair
      command: ssh-keygen -t rsa -N '' -f ~/.ssh/newsshkey/id_rsa

    # Pull the public half back to the control server as pubkeys/<host>.pub
    - name: Fetch the new public key to the control server
      fetch:
        src: ~/.ssh/newsshkey/id_rsa.pub
        dest: pubkeys/{{ inventory_hostname }}.pub
        flat: yes

    - name: Remove old private key
      file:
        path: ~/.ssh/id_rsa
        state: absent

    - name: Remove old public key
      file:
        path: ~/.ssh/id_rsa.pub
        state: absent

    - name: Move new private key into place
      command: mv ~/.ssh/newsshkey/id_rsa ~/.ssh/id_rsa

    - name: Move new public key into place
      command: mv ~/.ssh/newsshkey/id_rsa.pub ~/.ssh/id_rsa.pub

    - name: Make id_rsa read-only
      file:
        path: ~/.ssh/id_rsa
        mode: '0400'

    # exclusive: True replaces the whole authorized_keys file with this one key,
    # which is what revokes the previous keys
    - name: Set authorized key, removing all authorized keys already set
      authorized_key:
        user: root
        key: '{{ item }}'
        state: present
        exclusive: True
      with_file:
        - pubkeys/{{ inventory_hostname }}.pub

    # Pull the private half back so the control server can keep logging in
    - name: Fetch the new private key to the control server
      fetch:
        src: ~/.ssh/id_rsa
        dest: ~/.ssh/id_rsa.{{ inventory_hostname }}
        flat: yes

    - name: Remove the scratch directory
      file:
        path: ~/.ssh/newsshkey
        state: absent

Note: You will need to change the “- hosts: test” entry to match your own inventory.
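Two things about the playbook above that a practitioner will want to weigh: the private key is generated on the managed host, pulled back over the wire and also left behind in root's ~/.ssh there, so the host holds the private key that authorises access to itself; and the old keys are revoked (exclusive) before anything has proven that the new key works. The play below is an added example, not the post's script, that inverts both: the key is generated on the control server, only the public half is pushed, a login with the new key is tested, and only then are the old keys dropped. It assumes root login, the `test` inventory group, an ed25519 key and the `~/.ssh/id_ed25519.<host>` naming; all of those are this example's choices.

```yaml
---
# Added example (not the post's ssh_key_rotation.yml). Assumes the control
# server logs in as root and keeps per-host keys under ~/.ssh/.
- hosts: test
  vars:
    key_dir: "{{ lookup('env', 'HOME') }}/.ssh"
    # candidate key while rotating, promoted to final_key once proven to work
    new_key: "{{ key_dir }}/id_ed25519.{{ inventory_hostname }}.new"
    final_key: "{{ key_dir }}/id_ed25519.{{ inventory_hostname }}"
    target: "root@{{ ansible_host | default(inventory_hostname) }}"
  tasks:
    # The private half never leaves the control server.
    - name: Generate the replacement key pair on the control server
      openssh_keypair:
        path: "{{ new_key }}"
        type: ed25519
      delegate_to: localhost

    # Non-exclusive first: both old and new keys are valid during the swap.
    - name: Authorise the new public key alongside the existing ones
      authorized_key:
        user: root
        key: "{{ lookup('file', new_key ~ '.pub') }}"
        state: present

    # BatchMode fails instead of prompting; IdentitiesOnly stops the agent
    # from quietly authenticating with the old key and masking a bad rotation.
    - name: Prove the new key logs in before revoking anything
      command: >
        ssh -i {{ new_key }} -o BatchMode=yes -o IdentitiesOnly=yes
        -o StrictHostKeyChecking=yes -p {{ ansible_port | default(22) }}
        {{ target }} true
      delegate_to: localhost
      changed_when: false

    # Promote the proven key to the name the inventory points at
    # (ansible_ssh_private_key_file), so the next run already uses it.
    - name: Put the new private key in place on the control server
      command: mv -f {{ new_key }} {{ final_key }}
      delegate_to: localhost

    - name: Put the new public key in place on the control server
      command: mv -f {{ new_key }}.pub {{ final_key }}.pub
      delegate_to: localhost

    # Now, and only now, drop every other authorised key.
    - name: Make the new key the only authorised key (revokes the old ones)
      authorized_key:
        user: root
        key: "{{ lookup('file', final_key ~ '.pub') }}"
        state: present
        exclusive: yes
```

Point `ansible_ssh_private_key_file` for the host at `~/.ssh/id_ed25519.<host>` so the next run picks up the rotated key; the previous private key on the control server is overwritten by the `mv`, so nothing old is left to leak. On Ansible 2.10 and later `openssh_keypair` ships in the `community.crypto` collection rather than core.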

Key Management

To fully automate this I have mounted a CIFS share and created a symbolic link on the Ansible server from the ~/.ssh folder to the CIFS share. All my other clients are set up the same way, so when you update the key it is copied to a central repository which all the other clients are symbolically linked to.

Conclusion

This can be greatly improved on, but it is a good starting point for the rotation of your SSH keys. I’m happy to hear suggestions on how this could be improved.

This Ansible script will fully rotate your MySQL root account password (or change any MySQL account password if you adapt the script) and write a .my.cnf so you don’t have to keep entering the password. This took me a while to figure out, there are

Test Bed

Ansible control server running Ubuntu 18.04

Ubuntu 18.04 Bionic test server running MySQL 5.7.25

Requirements

Ansible control server

SSH keys established between Ansible control server and destination server

Overview

Install the MySQL package with required dependencies

Stop the MySQL service

Set MySQL environment variables

Start MySQL

Change the MySQL root password to a mysql_native_password account (native is very important!)

etc/mysql/.my.cnf

global-vars/config.yml

Execution

ansible-playbook sql.yml

Other Considerations

You will need to remove lines 7 to 19 of the script if you are not installing MySQL for the first time.

If any applications are using the account you are rotating, their authentication will fail (I would hope you’re not using root for application authentication); if you run this against any other username this will need to be considered.

Conclusion

The gotcha for a lot of people (from what I’ve read on blogs/GitHub) is that when the MySQL root password changes you also need to change root’s authentication plugin from “auth_socket” to “mysql_native_password”, otherwise the new password is never consulted.
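As an added example, not the post's sql.yml, the play below does that rotation on an Ubuntu 18.04 host where root still authenticates with auth_socket: it switches the plugin and sets the new password in a single ALTER USER issued over the socket (which auth_socket still accepts at that moment because the task runs as the OS root user), writes a mode-0600 credentials file, and then proves the new credential works. The `/root/.my.cnf` location (the mysql client reads ~/.my.cnf, so no path has to be configured), the 32-character letters-and-digits password and the `test` group are this example's assumptions.

```yaml
---
# Added example (not the post's script). Assumes a fresh Ubuntu 18.04
# MySQL 5.7 install where 'root'@'localhost' still uses auth_socket.
- hosts: test
  become: yes
  tasks:
    # Pin the password with set_fact: a lookup() placed under vars: is
    # re-evaluated every time it is referenced and would hand a different
    # value to ALTER USER and to the credentials file.
    - name: Generate a fresh root password once for this run
      set_fact:
        mysql_root_password: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"
      no_log: true

    - name: Make sure the server is up before talking to it over the socket
      service:
        name: mysql
        state: started

    # Letters and digits only, so the literal needs no SQL escaping.
    - name: Switch root from auth_socket to mysql_native_password with the new secret
      command: >
        mysql --protocol=socket -uroot -e
        "ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password
         BY '{{ mysql_root_password }}'"
      no_log: true    # keeps the secret out of the log and of -v output

    - name: Write root's client credentials file
      copy:
        dest: /root/.my.cnf
        owner: root
        group: root
        mode: '0600'
        content: |
          [client]
          user=root
          password={{ mysql_root_password }}
      no_log: true

    # No -p here: the client picks the password up from /root/.my.cnf.
    - name: Prove the rotated credential works
      command: mysql -e "SELECT CURRENT_USER()"
      register: whoami
      changed_when: false

    - name: Fail loudly if the native-password login did not take
      assert:
        that:
          - "'root@localhost' in whoami.stdout"
```

Once this has run, `sudo mysql` no longer logs in silently via the socket; root is a password account like any other, and the only copy of that password on the host is the 0600 file. If you later adapt the play for a non-root account, the application caveat above applies: rotate the application's configuration in the same run.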

Considerations

Having this script on a gold-image server set to auto-run on login (with a restart afterwards) would be the best implementation of this. You wouldn’t need to use the source and destination either; just point to a local copy of newsid.exe. I did however write this with a remote copy of newsid.exe in mind.

You will need to change the source and destination to suit your needs.

This is written for Microsoft PowerShell Version 5+.

You could drop the “/n” in the newsid.exe switch so it does reboot on completion.

The “S-1-5-21-” prefix at the beginning of a machine SID is always going to be the same; only the sub-authority values that follow it change between machines.

Note that Sysinternals retired NewSID in 2009 and it is no longer available for download; Sysprep is the supported way to produce a unique SID on a cloned image, so treat this approach as one for images where Sysprep is not an option.

Conclusion

With the ever-increasing demand for automating the deployment of servers, this is as important as ever if you start interconnecting the automated servers.